IPsec questions and answers

I know there are a few threads out regarding IPsec. I have an interest in it lately, and wonder if there are any here who have delved deeply into using ipseccmd.exe with xp sp2. Both Dynamic and Static scripting. Specifically, how you went about developing methods to apply different policies and how you managed them.

I will post as much info here as I can. I am currently deep into the ipsec usage especially with the scripting tool ipseccmd.exe that xp uses. My goal is to either augment windows firewall or just in general learn how to use something built into the OS.

I am almost complete with the first step, which is to understand how to use ipseccmd to structure some rules. IPsec is basically a dumb packet filter, but from what I have read it resides at kernel level. I have seen snippets that state this method has much less overhead than normal firewalls. I don't have the knowledge to say much in that regard.

It is interesting the approach one takes with IPsec. It is the exact opposite of a normal 3rd party firewall. Instead of everything blocked unless told otherwise, by default IPsec lets everything through. While Windows Firewall does an OK job at simply blocking inbound requests, everyone knows there is no outbound control whatsoever. IPsec does allow this, in the same way a firewall such as AS3 or SoftPerfect would. There are no methods to capture what application is requesting a connection (in or out), so you just allow or block ports.

What makes this interesting is that using the ipseccmd tool, one can make 'STATIC' rules, which go into a database of sorts and are, well, static. And then you can make 'DYNAMIC' rules, which are more of a session rule. Reboot or restart the service (policyagent for those that use the tool sc), and those session rules are gone. Even a simple command of ipseccmd.exe -u rids all of the session rules in a snap.

How it lays out the rules is fairly typical of a firewall, only backwards. You start a 'POLICY', and give it a sort of 'master rule', which is basically block everything. Then you start your exceptions. You poke a hole here or there depending on your needs. I am most curious to see how using dynamic rules will work in day to day use. It would be nothing to create a batch file for a certain program that opens some ports, and these openings could be only present when one wished to start that app. And they could be gone with a simple command or when you reboot.

Obviously the need to have holes open for your normal traffic in day to day use is really essential, or you could find it cumbersome. But for certain apps that you only want holes open at certain times, it seems a clever way. Even to the point of having a service running that has an open port, and your router is port forwarding to your box for that service. With some sleight of hand and a little batch script, you could leave everything in the router in place, leave the service running, and just open a temporary hole when you need it.

More to come for anyone who has been looking for some concepts on how to use IPsec. There are many resources available, but most are very technical and require some time to digest. Maybe this will be a quick place to find some quick and simple answers.
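As an added example (not a script from this thread) of the "block everything, then poke holes" session rules described above: a batch file of dynamic ipseccmd rules. It assumes ipseccmd.exe from the XP SP2 Support Tools is in the PATH, the policyagent service is running, and the filter/flag syntax I recall from the Support Tools help; 192.168.1.4 is a constructed sample address.

```batch
@echo off
rem Added example, not from the thread. Dynamic (session) rules only:
rem nothing here is written to the registry, and "ipseccmd -u", a reboot
rem or restarting policyagent removes all of it.
rem Filter syntax (assumed from the Support Tools help):
rem   src[/mask][:port]+dst[/mask][:port][:proto]
rem   "0" = my own address, "*" = any address,
rem   "+" = mirrored (both directions), "=" = one direction only.
rem More specific filters outrank general ones, so the PASS holes below
rem win over the block-all master rule.

rem 1. Master rule: block every inbound and outbound packet.
ipseccmd -f 0+* -n BLOCK

rem 2. Holes. Ping: ICMP has no ports, so the port field stays empty.
ipseccmd -f 0+*::ICMP -n PASS

rem 3. File sharing (NetBIOS) only with one LAN host (constructed address).
ipseccmd -f 0+192.168.1.4:137:UDP -n PASS
ipseccmd -f 0+192.168.1.4:138:UDP -n PASS
ipseccmd -f 0+192.168.1.4:139:TCP -n PASS

rem 4. Web browsing: this box may reach any host on TCP 80 and 443.
ipseccmd -f 0+*:80:TCP -n PASS
ipseccmd -f 0+*:443:TCP -n PASS

rem Show what is now in force.
ipseccmd show filters

rem Run "ipseccmd -u" to drop all of these session rules again.
```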

Here is a start. A small tray icon for Windows Firewall and IPsec. With it you can enable or disable the firewall and show the firewall control panel. There are also 3 'rulesets': Allow All traffic, Allow LAN only traffic and Block all traffic. These are dynamic IPsec policies, meaning they are gone with a reboot or entering the command ipseccmd.exe -u.

2. Extract this update. Then, inside this, extract support.cab. Inside support.cab is the file ipseccmd.exe. This must be placed in a path. Copy it to windows or windows\system32.

3. The IPsec service must be running. You can use the run box -> services.msc, or from a command prompt you can use
sc config policyagent start= auto
sc start policyagent

That should be it. As long as the ipseccmd.exe is in windows or windows\system32 and the ipsec service is running, all should work.

Here is a registry edit that you can run after you have enabled the IPsec service. It gets rid of all the default policies/rules. To interface with IPsec you can use secpol.msc or gpedit.msc. You can reset everything to default if needed in that interface.

I remember being interested in IPSEC many years back when I was running Win2k and thinking I might use that instead of a firewall. I did a bit of experimenting with it, not much, but then dropped it, as it seemed fairly primitive compared to other rule based firewalls available. There weren't many options beyond simple port rules. For example, I don't remember being able to set up port ranges. Similarly with IPs and so on. It's interesting, but so much easier to just use something like Kerio 2 or Jetico nowadays.

Yes I would agree with you. Up till now I have not been interested in it at all. In looking at different methods to allow my kids online access, IPsec has offered some ease of use at a core level. And I do find it interesting that there are so many things I have done in the past, that had I taken the time to study IPsec a little, I would have used it. So yeah, I hear what you are saying. But after looking at countless pages and articles, I wanted to both get others' insights as well as hopefully have a good thread that others might find valuable info in.

Some further playing. I use Hamachi to transfer files between buddies, especially new tools I make or scripts. We also play some LAN games with it. I decided to see if I could use IPsec to only allow Hamachi traffic and block everything else.

Hamachi makes a virtual network adapter, so it was a fun test. And it works. Using a few IPsec commands, Hamachi traffic is allowed and my normal NIC ip is blocked. Here is an example of what a scripted dynamic rule looks like.

More rules need to be implemented for each Hamachi IP that you wish to communicate with.

Maybe not really useful, but for sake of learning, it is nice to know that IPsec does work with a virtual adapter. I assume the same would be applicable to something like a vmWare network adapter too, although I have not tried yet.

Is anyone out there good with REG_BINARY values? Umm, anyone understand Little Endian structured hexadecimal? lol, anyone know how to read a tech sheet on the structure of a binary string, and interpret what is being said? I found the tech docs on exactly what the reg key I need to parse is supposed to be, but Little Endian is seriously throwing me here. I know it is the reverse of Big Endian or even Unicode/UTF, but there seems to be some ambiguity in this.

Currently I have some WMI objects to return most vals to me via a script. I am working on how the ipseccmd.exe show filters output can relate to the ipsecFilters\ipsecData REG_BINARY key value. This output is needed to get the specifics of current STATIC rules/filters. Without it, parsing and matching reg values will be impossible.

Right now I can enable/disable a policy, and enable/disable each rule in the policy. However, without a properly working parse of the ipsecData key, I have no way to properly match it up. Unfortunately, the ipseccmd filters are non-specific, with only a GUID starting with text2pol{GUID}.

Does anyone know if there is a way to get the netsh commands from server 2k3 to work in xp pro? In server 2k3 netsh has an ipsec parameter. This would be the way to go over ipseccmd without a doubt.

Refining of rules seems easy to do. It is the implementation, and especially the leaving of the snap-in that I am most interested in. That mmc absolutely blows. I will make one that works and is easy to use. It all hinges on deciphering what the docs are telling me about this regkey.

So, I have been making a tool to manage different IPsec policies and rules, as I cannot stand the snap-in that MS gives for doing this. Here is a small batch file that uses ipseccmd.exe to put in place some policies. Note that ipseccmd.exe MUST be in a path somewhere (i.e. c:\, c:\windows, c:\windows\system32)

If you were to run this .bat file, these policies would be made, but none of them would be assigned. You must have the IPsec service running to do this of course.

Here is a link to a beta program I am making for easy access to these policies/rules. If you already have some IPsec rules in place, you might want to export your current registry values before playing. It has caused no errors yet, but I certainly would not want to create problems for anyone if it did.

More to come. Learning a little more about ipseccmd, and about the trouble with pulling out the values for each rule from the REG_BINARY keys. Thinking of adding more features to the program so one can create a batch file more easily. Been using IPsec on a few computers more and more as a base defense prior to Windows Firewall. So far, it seems fast, and once I understand why and how it does or does not perform, it just gets better.

These will close tcp and udp ports between yourself and .4. If this is the only rule, it will work.

You could use this snippet to open up all local communication to that subnet on all ports. Of course you could also just apply .4 instead of .*; this would allow other IPsec rules to stay in place while still allowing all activity to .4

Remember, ping is of type ICMP. It has no ports to define, only types (like 0 or 8). Here is a rule for pinging, but not file sharing. File sharing (NetBIOS) would be opened only for ports 137 & 138 UDP, 139 TCP.
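As an added example (not the poster's own batch file) of the STATIC side of what the posts above describe: a named policy created in the registry with one rule per hole (block all, ping, NetBIOS to one host), left unassigned when created, and assigned or unassigned later. It assumes ipseccmd.exe is in the PATH, policyagent is running, and the -w REG / -p / -r / -x / -y / -o switches as I recall them from the Support Tools help; "Home LAN", 192.168.1.* and 192.168.1.4 are constructed sample values.

```batch
@echo off
rem Added example, not from the thread. Static rules: -w REG writes them
rem to the policy store, so they survive a reboot and are NOT removed by
rem "ipseccmd -u" (that only clears dynamic/session rules).
rem Repeating -p with the same policy name and a new -r adds another rule
rem to that policy. Usage:  thisfile.bat [on|off|delete]
set POL=Home LAN

rem Master rule plus holes. More specific filters outrank the block-all.
ipseccmd -w REG -p "%POL%" -r "Block all"     -f 0+*                   -n BLOCK
ipseccmd -w REG -p "%POL%" -r "Allow ping"    -f 0+*::ICMP             -n PASS
ipseccmd -w REG -p "%POL%" -r "NetBIOS 137"   -f 0+192.168.1.4:137:UDP -n PASS
ipseccmd -w REG -p "%POL%" -r "NetBIOS 138"   -f 0+192.168.1.4:138:UDP -n PASS
ipseccmd -w REG -p "%POL%" -r "NetBIOS 139"   -f 0+192.168.1.4:139:TCP -n PASS
rem Broader alternative instead of the three lines above: open every port
rem to the whole subnet (constructed wildcard address).
rem ipseccmd -w REG -p "%POL%" -r "Allow LAN" -f 0+192.168.1.* -n PASS

rem Creating the policy enforces nothing; it is unassigned until -x.
if /i "%1"=="on"     ipseccmd -w REG -p "%POL%" -x
if /i "%1"=="off"    ipseccmd -w REG -p "%POL%" -y
if /i "%1"=="delete" ipseccmd -w REG -p "%POL%" -o
```

Only one static policy can be assigned at a time, so switching policies is an unassign of the old one followed by an assign of the new one.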

Now I am searching for a way to control the bandwidth (from the cmd line) of IPs connected to my PC... is that possible?

I've found in the Windows Resource Kit a utility named tcmon (that uses tccom and QOS)... I've also found tcmonlite (a small piece of software that says it works at the cmd line, but I can't make it work - I get an error)...

I am also trying to find an API reference for Visual Basic 6 (which I am very familiar with), but there is no API or sample for the TC API (tccom service)... to create my own utility for that traffic management... or if I could find a third-party free cmd line tool managing the bandwidth for IPs...

(All of that of course only helps if all client PCs are routed through my PC [2 NICs] - that I can do if Windows XP is enabled as an IP router through the registry) - This I have done successfully!

I am not completely sure of this, but you might look at some registry values. TCPIP or NETBT have many values, and even more undocumented that are available from Mr Google. I have messed with these countless times, trying to achieve fast gigabit speeds. I know that often I have wondered if some of these settings might not limit bandwidth.

As a definite method on a local network you could set the NIC to 10mb only. Even forcing it to half-duplex will sometimes slow things down, depending on hardware. If your focus is the internet, I am not sure. It is usually so far under even 10mb.

Yes, I would poke around and see what could be set from within the registry. Even examining driver .inf files for different cards can produce some values that can be used that you often do not see. I have a .inf to .reg converter I made if you need it. Never tried it on driver .inf files, too many different sections. But you never know.

My problem is not internet bandwidth - but I want to make more complicated connections with my server PC/clients... For example I want 192.168.168.2 to have 8mbps download and 1mbps upload, or 192.168.168.3 to have 90Mbps and 10Mbps... something like the bandwidth manager / NetLimiter software or bandwidth controller that are sold at internet software stores...

But all of this I want to make myself, or with the help of a lightweight utility... I don't think the registry can help... :-( or I don't know the way..

Well, as you know (I hope ;-) ), with IPsec you can set a preshared string key (like WEP) so all data in the LAN will be encrypted - so all computers must run this IPsec policy with the preshared key!

Example:
So I have two LANs, one private and one public (internet cafe customers) - I want the private one using the preshared key (this I am doing fine), but I want one PC from the public side to have access (PASS without encryption - setting an exception on the private PCs so that this IP will pass)

The command (it works OK - tested for the network 192.168.0.0/255.255.0.0):

@sully
OK, I'll be waiting for an answer too.. if you find anything - but after a lot of searching I have understood why Microsoft didn't proudly present those options... because they don't really have advanced options :-(